What I learned in the #Security track at #SAP TechEd 2013

Now that I have been back from Las Vegas long enough to get moved into a new office building, deal with issues after our upgrade go-live last week, and update all my Customer Messages, I can start to process everything I took in during the conference. Although I did not spend the whole week attending Security track sessions, I did come away with some great learning to share and tips for those yet to attend TechEd, so if you work in SAP security or compliance, this post is for you.

The first security track session I attended was a hands-on, SIS260 on RFC security, Good-bye to SAP_ALL and S_RFC wild cards. My first clue that this was going to be a good session was seeing people queued up for the extra seats, at a security session! Yes, that was a new experience for me, and I was very glad I was registered. In this session, we learned about several new transactions, including STAUTHTRACE, STUSOBTRACE, and UCONPHTL. My lab partner and I successfully configured the Unified Connectivity (UCON) and went through the exercise of removing the excessive access. The exercise handout included some excellent reference material, including a list of relevant Notes. If securing RFCs has been a challenge for you, I would definitely recommend this session.

The next security session I attended was my own presentation, SIS208, Security Influence Council – Customers and SAP Working Together. The point of this session was to familiarize attendees with ASUG Influence and the recent accomplishments of our Council, as well as encourage customers to consider joining the Council. The scope of the next phase is the SAP Enterprise Portal. Now who among us has ever said, “if only security/ user admin/ reporting in the Portal was better?” If that is you, our Council needs you. It is not too late to join in our efforts to collaborate with SAP on improvements to the Portal. Email Influence@ASUG.com to sign up or for more information.

The next day I attended SIS107, an ASUG customer case study on Florida Crystal’s implementation of GRC 10 Access Control. Unlike a lot of us, Florida Crystal did not migrate from 5.3; theirs was a fresh implementation, which spared them a lot of migration challenges. An important lesson learned for them was that their managers would delete the request notification emails or forget to click the button, so they recognized their need for more/ better end user education, probably a good reminder for all of us whether we are a fresh implementation or migrating to GRC 10 from a previous release.

I had already become familiar with Read Access Logging (RAL) via an ASUG webcast I hosted earlier this year, but I attended SIS104 anyway, just to see what was new since then, and I am very glad I did. I knew that RAL was available in NetWeaver 7.40, but now it is also downported to NetWeaver 7.31 SP 9, and it is expected to be downported to other releases next year, so that was important news.

For anyone confused by or unsure about the best approach to SAP’s security corrections, SIS206 is the session for you. Sorting out the differences between RSECNOTE, SAP System Recommendations, and Configuration Validation, including the relative ease of each, was a key takeaway.

The other hands-on session I attended was SIS261 on Your Way to Secure ABAP Code. Although neither my lab partner nor I am an ABAP developer, we knew enough to stumble through the exercises with only a few questions. For me a key takeaway was that NetWeaver 7.31 SP5 includes the ABAP Test Cockpit, and the Security Code Scan tool is available as of NW 7.31 SP9. However, according to the speaker (OK, now, don’t shoot the messenger here!) a separate license is involved. Yes, at that announcement, there were some long faces and grumbling in the lab.

Another ASUG session I attended was SIS207, Secure and Compliant through Outsourcing, Consolidation, and Globalization. The security team had a lot of change going on at their organization, Armstrong, and their approach for dealing with all of it, as well as their lessons learned and suggestions, were very informative. In my opinion, management support for the security team surely was a differentiator and an important factor in their success.

Yes, it was a lot to take in, and that wasn't all I did during the fast-paced week, but the rest of it will need to be covered in another post. If you attended TechEd in Las Vegas, be sure to check your USB drive for these presentations. If your TechEd experience is yet to come, watch for all but the ASUG sessions at your own TechEd, and I hope your TechEd is as good for you as mine was for me.

2 Comments

Nice coverage of a largely overlooked area at TechEd! As you said, it is a shame that security/provisioning folks tend to get their best SAP information at 3rd party conferences and not at TechEd. I hope these “niche” tech areas do not get further and further pushed out as SAP focuses TechEd more and more on “the platform”.